17 July 2017

Reverse Engineering Malware

I’m used to working with network devices and security systems to improve network performance and protect information. However, it seems I’m specialized in the networking and security fields but, in fact, there are lots of subfields inside network and security like forensics, reverse engineering, law, pentesting, auditing, etc. Therefore, I’m not specialized in any field yet, but I would like to write about reverse engineering this week, which is an amazing and very technical field that only a few people know how to do very well. Of course, I’m not one of them. I’m a newbie in this field.

Reverse engineering is a field mainly for researchers and antivirus companies who are interested in finding exploitation techniques, discovering new encryption methods or finding encryption keys. They are also interested in finding new de-obfuscation techniques and investigating C&C communications. Therefore, they know how to do complete reverse engineering with techniques such as static analysis, dynamic analysis, automated analysis and even manual analysis. Thus, knowing and picking the right tools is very important for reverse engineering.

There are many reverse engineering tools, some free and others commercial. For instance, the most popular static analysis tool for reverse engineering is IDA Pro, which is useful for Hex-Rays decompiling, but if we are newbies, we can use Radare2 for free and Linux commands like strings, file or otool. However, there are many more static analysis tools like PEiD, PEStudio, PE32, etc. On the other hand, there are many dynamic analysis tools like Immunity Debugger, OllyDbg, Sysmon, Regshot or the popular Wireshark/tcpdump.

IDA PRO
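The first-pass static triage that `file` and `strings` give a newcomer can be approximated in a few lines of Python. This is an added example, not code from the original post: the function names, the magic-byte table and the sample bytes are constructed for illustration, and the sample is not a real executable.

```python
import hashlib
import re

# Leading magic bytes, as file(1) would use to name the executable format.
MAGIC = [
    (b"MZ", "MZ (DOS/PE) executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit executable"),
]
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # what strings(1) prints by default
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # wide strings, common in Windows binaries
NET_RE = re.compile(r"https?://[^\s\"']+|\b(?:\d{1,3}\.){3}\d{1,3}\b")

def file_type(data):
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def extract_strings(data):
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RE.finditer(data)]
    return found

def triage(data):
    strings = extract_strings(data)
    # URLs and IPv4 addresses are candidate C&C indicators to check for reputation.
    indicators = sorted({hit for s in strings for hit in NET_RE.findall(s)})
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "type": file_type(data),
        "strings": strings,
        "network_indicators": indicators,
    }

# Constructed sample: an MZ-style header, padding and three embedded strings.
# It is not a real or working executable.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 16
    + b"http://c2.example.test/gate.php\x00\x00"
    + "192.0.2.10".encode("utf-16-le") + b"\x00\x00\x01\x02"
    + b"cmd.exe /c\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The SHA-256 and the extracted network indicators are the values to look up in a sandbox report or a reputation service before opening the file in a disassembler.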

Sandboxing is another kind of dynamic analysis tool that is very popular and useful today. There are free online sandboxes like Malwr, Hybrid-Analysis, DeepViz or VirusTotal, and there are also commercial sandboxes like FortiSandbox, in the cloud or as an on-site appliance. Of course, local (on-premise) sandboxes are better than online sandboxes because it is faster to upload the file to the sandbox and, as a result, we’ll have the results faster too. In addition, local sandboxes are more customizable than online sandboxes because we can choose the language of the operating system and other variables for better analysis.

FortiSandbox

If we don’t have deep knowledge of malware analysis and we don’t have enough resources either, we can use Cuckoo Sandbox for reverse engineering malware. It is an automated malware analysis system which is able to analyse any malicious file under Windows, OS X, Linux and Android. Cuckoo is a free, 100% open source sandbox that easily integrates with our existing frameworks and storage, with the data we want, in the way we want, in the format we want. Therefore, since it’s highly recommended to have a sandbox in our infrastructure, Cuckoo Sandbox is better than nothing. It’s another barrier for better security.

Cuckoo Sandbox

There are many other tools which help us to know what is happening in our infrastructure, like OTX, which is the Collective Intelligence Framework of AlienVault and where we can subscribe to Pulses to exchange indicators of compromise with our USM or OSSIM. On the other hand, we can also search for IP or domain reputation in online services like FortiGuard.

OTX

Regards, my friends, and remember, reverse engineering malware is a subfield inside the security field which should be taken into account to protect our information.